Second Stage 2 HITECH Rule Advances

A second rule for Stage 2 of the HITECH Act electronic health record incentive program has moved closer to publication. The Department of Health and Human Services on July 31 sent the final version of the EHR software certification rule to the Office of Management and Budget for review, the last step before a regulation is published in the Federal Register.

The certification rule sets standards for EHR software eligible for the incentive program. A proposed version of the rule included a provision that EHRs must be able to demonstrate the capacity to encrypt data on mobile devices in circumstances where electronic health record technology manages the data flow on the device.

On July 16, HHS submitted to OMB the final version of the Stage 2 "meaningful use" rule, which sets detailed requirements for hospitals and physician groups to prove they are meaningfully using EHRs and, thus, qualify for additional incentive payments. A proposed version of the rule called for requiring hospitals and physician groups to conduct a security risk analysis that includes "addressing the encryption/security of data at rest."

Earlier, federal officials had indicated the final versions of both of the Stage 2 rules would be published in the Federal Register by the end of summer (see: HIPAA, HITECH Updates Inch Closer). But in the past, OMB has taken from several weeks to many months to complete its reviews.

Comments on Rule

Earlier, in commenting on the encryption provision for mobile devices included in the proposed Stage 2 software certification rule, the HIMSS Electronic Health Record Association, which represents EHR vendors, supported the provision.

"Lost end-user devices represent a significant data breach risk to covered entities. We applaud the decision to allow the option to either encrypt end-user devices or make sure no data remains on end-user devices (managed by the technology)," the association wrote (see: Industry Debates Stage 2 EHR Rules).

But the records vendor association sought "clarity on when electronic health information is 'managed' by the EHR."

About the Author

Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
